Olmarik Virus

  • eriasan (Newbie, Posts: 11)

Post 3+ Months Ago

Hello, I'm new. The reason for writing this is because my computer has an Olmarik trojan which Spyware Doctor, Malwarebytes and ESET cannot remove. When I do searches on Google I get diverted to other sites which I am not familiar with; I cannot do searches as I cannot get the correct information. Yesterday I tried doing a search and it took me to a porn site. I need help resolving this problem. I called Micro Center and explained the problem and they want me to take my computer in and they will remove it along with all my programs and files. I don't want to do this as I've acquired other things since I got the computer. They want to swipe it clean. I've paid for all the programs I've added and don't want to lose them. I'd appreciate any help as it has gotten very frustrating; don't understand why I got this trojan. Where did I pick it up? Well, thank you very much in advance.

PS: I did do a search here regarding the virus and downloaded gmer.exe and OTListIt2, but don't know what to do; don't want to exacerbate the problem.

Ran HijackThis and this is what the report said:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:24 PM, on 12/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\GridService\peer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go./fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go./fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http:///fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:///fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search./search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware (registration)] regsvr32.exe /s "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll"
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-C4LFO.exe" /REG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: LaunchU3.exe.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{038BBBA4-2129-40DB-B339-796A222DB2C7}: NameServer = 71.243.0.12 71.250.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{038BBBA4-2129-40DB-B339-796A222DB2C7}: NameServer = 71.243.0.12 71.250.0.12
O20 - AppInit_DLLs: c:\windows\system32\namivazo.dll C:\WINDOWS\system32\sezuhome.dll c:\windows\system32\zitetufu.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - Unknown owner - C:\Program Files\AVG\AVG9\avgemc.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - Unknown owner - C:\Program Files\AVG\AVG9\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\My Documents\My Pictures\Haido\hello.JPG

--
End of file - 7935 bytes

Which files do I need to delete?

  • Don2007 (Web Master, Posts: 4924, Loc: NY)

Post 3+ Months Ago

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: LaunchU3.exe.lnk = ?

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} -

O20 - AppInit_DLLs: c:\windows\system32\namivazo.dll C:\WINDOWS\system32\sezuhome.dll c:\windows\system32\zitetufu.dll
  • eriasan (Newbie, Posts: 11)

Post 3+ Months Ago

Thank you, will try and get back to you with the results... Been busy baking cookies, later...
  • eriasan (Newbie, Posts: 11)

Post 3+ Months Ago

Fixed the list of things given, still being diverted to other sites - no change. Here is another HijackThis scan log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:02 AM, on 12/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\GridService\peer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go./fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http:///fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go./fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search./search?fr=&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{038BBBA4-2129-40DB-B339-796A222DB2C7}: NameServer = 71.243.0.12 71.250.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{038BBBA4-2129-40DB-B339-796A222DB2C7}: NameServer = 71.243.0.12 71.250.0.12
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - Unknown owner - C:\Program Files\AVG\AVG9\avgemc.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - Unknown owner - C:\Program Files\AVG\AVG9\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\My Documents\My Pictures\Haido\hello.JPG

--
End of file - 6957 bytes
  • Don2007 (Web Master, Posts: 4924, Loc: NY)

Post 3+ Months Ago

If you didn't set the pages below, delete them. I don't see anything else, although I recommend that you uninstall all toolbars.

The name servers are listed as Verizon. Are you on Verizon?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go./fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http:///fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go./fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search./search?fr=&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
  • eriasan (Newbie, Posts: 11)

Post 3+ Months Ago

OK, will do when I get back. I'll let you know. Thank you.
  • eriasan (Newbie, Posts: 11)

Post 3+ Months Ago

Yes, I use Verizon. Fixed the following as suggested:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = /fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go./fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http:///fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go./fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search./search?fr=&p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

Still being diverted to unknown sites...

Ran another HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:02 PM, on 12/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\GridService\peer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - Unknown owner - C:\Program Files\AVG\AVG9\avgemc.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - Unknown owner - C:\Program Files\AVG\AVG9\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\My Documents\My Pictures\Haido\hello.JPG

--
End of file - 5896 bytes

I'd like to remove this virus, as I can't do searches. Thanks for any help.
  • Don2007 (Web Master, Posts: 4924, Loc: NY)

Post 3+ Months Ago

C:\Program Files\GridService\peer.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

nwprovau.dll can be a legitimate file but it can be a problem as well. If you know how to check an MD5 hash, it's
5C08A9754168D73C6CA674DB605319E0
Otherwise I would take a chance on deleting it, since HijackThis seems to think it's unknown.
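As an added example that is not code from the thread, from HijackThis or from Don2007: a small Python script that applies the triage rules Don2007 used in this thread (orphaned O2 BHOs, empty O16 DPF entries, the unknown O10 LSP, the O17 DNS servers to confirm with the ISP, and the random-named O20 AppInit_DLLs) to a HijackThis log, then verifies a DLL's MD5 against the value he posted. The sample log lines are constructed from the first log above; the DLL path in the main block is an assumption and is only hashed if it exists.

```python
"""Triage a HijackThis log the way the thread does, then verify a DLL by MD5.

Added example; not code from the thread, HijackThis, or Don2007. The sample
log lines below are constructed from entries in the first log posted above.
"""
import hashlib
import re
from pathlib import Path, PureWindowsPath

# Constructed sample: a subset of the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Grid Service] "C:\Program Files\GridService\peer.exe" -n Grid
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{038BBBA4-2129-40DB-B339-796A222DB2C7}: NameServer = 71.243.0.12 71.250.0.12
O20 - AppInit_DLLs: c:\windows\system32\namivazo.dll C:\WINDOWS\system32\sezuhome.dll c:\windows\system32\zitetufu.dll
"""

# Known-good MD5 for the legitimate nwprovau.dll, as posted by Don2007 in the
# thread; confirm it against a trusted source before relying on it.
KNOWN_GOOD_MD5 = {"nwprovau.dll": "5C08A9754168D73C6CA674DB605319E0"}

ENTRY_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")
# The three AppInit_DLLs in the thread are all eight random lowercase letters.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")


def triage(log_text):
    """Return (section, reason, line) for entries the thread treated as suspect."""
    findings = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO whose DLL no longer exists", line))
        elif section == "O10":
            findings.append((section, "Winsock LSP HijackThis cannot identify", line))
        elif section == "O16" and body.rstrip().endswith("-"):
            findings.append((section, "ActiveX (DPF) entry with no target file", line))
        elif section == "O17" and "NameServer =" in body:
            servers = body.split("NameServer =", 1)[1].split()
            findings.append((section, "DNS servers to confirm with the ISP: " + ", ".join(servers), line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that links user32.dll.
            names = [PureWindowsPath(p).name.lower() for p in body.split(":", 1)[1].split()]
            if names:
                reason = "AppInit_DLLs are injected into every process"
                generated = [n for n in names if RANDOM_DLL_RE.match(n)]
                if generated:
                    reason += "; random-looking names: " + ", ".join(generated)
                findings.append((section, reason, line))
    return findings


def md5_hex(data):
    """Uppercase MD5 of a byte string (the thread quotes the hash in uppercase)."""
    return hashlib.md5(data).hexdigest().upper()


def md5_of_file(path):
    """MD5 of a file, read in chunks so a large DLL need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def hash_matches(actual, expected):
    """Case-insensitive comparison of two hex digests."""
    return actual.strip().upper() == expected.strip().upper()


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
    # Assumed path: on the infected XP machine this is the file from the O10 entry.
    dll = Path(r"C:\WINDOWS\system32\nwprovau.dll")
    if dll.exists():
        ok = hash_matches(md5_of_file(dll), KNOWN_GOOD_MD5[dll.name.lower()])
        print(f"{dll}: {'matches known-good MD5' if ok else 'MD5 mismatch, treat as suspect'}")
```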
  • eriasan (Newbie, Posts: 11)

Post 3+ Months Ago

Did as suggested, and got this notice: HijackThis cannot repair O10 Winsock LSP entries. You should use LSPFix for that, which is available from... If the O10 item belongs to Webhancer, Net Net or CommonName, Spybot S&D can remove it automatically. Spybot S&D is available from....

Here is another HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:31 PM, on 12/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - Unknown owner - C:\Program Files\AVG\AVG9\avgemc.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - Unknown owner - C:\Program Files\AVG\AVG9\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Elia Sanchez\My Documents\My Pictures\Haido\hello.JPG

--
End of file - 5864 bytes

Did another Google search and was diverted to bubblegum com????? Am going to go insane. Thank you.

BTW, the machine is running a little faster, but tried doing another Google search and was diverted again.
  • Don2007 (Web Master, Posts: 4924, Loc: NY)

Post 3+ Months Ago

Try LSPFix or go to the directory & delete the file manually.

http://www.cexx.org/lspfix.htm
  • eriasan (Newbie, Posts: 11)

Post 3+ Months Ago

Ran ATF Cleaner and ComboFix; here is the ComboFix log:

ComboFix 09-12-27.04 - XXXX XXXXXXX 12/28/2009 14:33:48.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1622 [GMT -5:00]
Running from: c:\documents and settings\Elia Sanchez\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Adobe\sp.DLL
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
H:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://armmf.adobe.com
.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-28 )))))))))))))))))))))))))))))))
.

2009-12-28 18:41 . 2009-12-28 18:41 -------- d-----w- c:\program files\ESET
2009-12-23 02:44 . 2009-12-23 02:44 -------- d-----w- c:\program files\Trend Micro
2009-12-23 02:38 . 2009-12-23 02:38 -------- d-----w- c:\program files\TrendMicro
2009-12-10 03:46 . 2009-12-28 17:51 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-10 03:46 . 2009-12-28 17:50 -------- d-----w- c:\program files\Spyware Doctor
2009-12-09 22:05 . 2009-12-09 22:05 -------- d-----w- c:\documents and settings\Elia Sanchez\Local Settings\Application Data\Threat Expert
2009-12-09 18:05 . 2009-12-09 18:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-12-09 14:30 . 2009-12-09 14:30 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-09 13:40 . 2009-12-10 02:11 -------- dc----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-12-09 13:40 . 2009-12-09 13:40 -------- d-----w- c:\documents and settings\Elia Sanchez\Application Data\PC Tools
2009-12-09 13:18 . 2009-12-09 20:15 -------- dc----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-12-09 05:14 . 2009-12-09 05:14 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-09 05:13 . 2009-12-09 20:11 -------- d-----w- c:\documents and settings\Elia Sanchez\Application Data\SUPERAntiSpyware.com
2009-12-09 05:13 . 2009-12-09 20:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-08 19:37 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2009-12-07 03:43 . 2009-12-07 03:43 -------- dc----w- C:\$AVG
2009-12-07 03:42 . 2009-12-07 03:42 -------- d-----w- c:\program files\AVG
2009-12-07 03:42 . 2009-12-09 18:30 -------- dc----w- c:\documents and settings\All Users\Application Data\avg9
2009-12-07 03:42 . 2009-12-07 17:23 -------- d-----w- c:\windows\SxsCaPendDel
2009-12-06 17:52 . 2009-12-06 17:52 -------- d-----w- c:\program files\2Convert.net
2009-12-05 22:13 . 2009-12-05 22:13 -------- d-----w- c:\documents and settings\Elia Sanchez\Application Data\AnvSoft
2009-12-05 18:44 . 2009-12-05 18:44 -------- d-----w- c:\documents and settings\Elia Sanchez\Local Settings\Application Data\Downloaded Installations
2009-12-05 05:19 . 2009-12-05 05:19 -------- d-----w- c:\documents and settings\Elia Sanchez\Application Data\STOIK
2009-12-02 23:16 . 2009-12-02 23:16 -------- dc-h--w- c:\documents and settings\All Users\Application Data\CanonIJEGV
2009-12-02 23:14 . 2009-12-02 23:14 -------- dc-h--w- c:\documents and settings\All Users\Application Data\CanonIJScan
2009-12-02 23:14 . 2009-12-02 23:18 -------- d-----w- c:\documents and settings\Elia Sanchez\Application Data\Canon
2009-12-02 23:06 . 2009-12-02 23:06 -------- d-----w- c:\program files\ArcSoft
2009-12-02 23:06 . 1995-08-01 09:44 212480 ----a-w- c:\windows\PCDLIB32.DLL
2009-12-02 23:05 . 2009-12-02 23:05 -------- d-----w- c:\program files\Common Files\CANON
2009-12-02 23:03 . 2009-12-02 23:03 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2009-12-02 23:03 . 2008-04-18 13:51 598016 ----a-w- c:\windows\system32\CNQ4807L.DLL
2009-12-02 23:03 . 2008-04-07 14:58 1339392 ----a-w- c:\windows\system32\CNQ4807C.DLL
2009-12-02 23:03 . 2008-04-07 14:58 98304 ----a-w- c:\windows\system32\CNQ4807I.DLL
2009-12-02 23:03 . 2007-03-15 14:12 188416 ----a-w- c:\windows\system32\CNQ4807O.DLL
2009-12-02 23:03 . 2009-12-02 23:03 -------- d--h--w- c:\program files\CanonBJ
2009-12-02 23:02 . 2009-12-02 23:06 -------- d-----w- c:\program files\Canon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-28 17:51 . 2007-11-19 22:23 -------- d-----w- c:\documents and settings\Elia Sanchez\Application Data\uTorrent
2009-12-28 17:50 . 2008-06-26 02:09 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-27 19:21 . 2009-04-10 10:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-27 18:50 . 2009-09-19 22:46 -------- d-----w- c:\documents and settings\Elia Sanchez\Application Data\vlc
2009-12-21 18:03 . 2002-08-29 07:27 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-20 02:03 . 2005-10-29 12:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-09 14:31 . 2003-12-16 03:31 -------- d-----w- c:\program files\Common Files\Real
2009-12-09 14:29 . 2003-08-05 18:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-12-09 14:29 . 2003-08-05 18:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-12-09 14:29 . 2003-12-16 03:31 -------- d-----w- c:\program files\Real
2009-12-09 13:17 . 2006-05-13 23:54 -------- d-----w- c:\program files\Google
2009-12-05 23:42 . 2009-07-19 02:54 -------- d-----w- c:\program files\Aimersoft
2009-12-05 05:24 . 2003-12-16 03:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-24 21:04 . 2009-11-24 21:04 -------- d-----w- c:\program files\MSXML 4.0
2009-11-21 15:51 . 2002-08-29 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 05:01 . 2008-02-03 05:12 -------- d-----w- c:\documents and settings\Elia Sanchez\Application Data\Orbit
2009-11-20 04:59 . 2009-09-26 11:52 -------- d-----w- c:\documents and settings\Elia Sanchez\Application Data\dvdcss
2009-11-19 02:33 . 2009-11-19 01:55 2695 ----a-w- c:\windows\checkip.dat
2009-11-19 01:20 . 2009-11-19 01:20 -------- d-----w- c:\program files\Linksys
2009-11-10 09:08 . 2006-06-03 19:54 -------- d-----w- c:\documents and settings\Elia Sanchez\Application Data\Apple Computer
2009-11-02 03:49 . 2009-04-09 16:48 -------- d-----w- c:\program files\iTunes
2009-11-02 03:47 . 2006-06-03 19:46 -------- d-----w- c:\program files\iPod
2009-11-02 03:47 . 2007-12-08 02:35 -------- d-----w- c:\program files\Common Files\Apple
2009-11-02 02:52 . 2009-11-02 02:52 79144 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-29 07:45 . 2005-06-18 04:49 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2002-08-29 11:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2002-08-29 11:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2002-08-29 11:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 196608]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-09 198160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Elia Sanchez\My Documents\My Pictures\Haido\hello.JPG
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.sys

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-06-22 04:48 155648 ----a-w- c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-01-09 02:17 52256 ----a-w- c:\program files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2007-03-15 01:01 71216 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\GridService\\peer.exe"=
"c:\\WINDOWS\\network diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\KeyHoleTV\\KeyHoleTV.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [2/6/2009 11:56 AM 106208]
R1 epfwtdir;epfwtdir;c:\windows\SYSTEM32\DRIVERS\epfwtdir.sys [2/6/2009 11:58 AM 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 11:57 AM 727720]
R3 INIDVD;Initio USB DVD Filter Driver;c:\windows\SYSTEM32\DRIVERS\inidvd.sys [4/24/2009 6:31 PM 7936]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]
S2 avg9emc;AVG Free E-mail Scanner;"c:\program files\AVG\AVG9\avgemc.exe" --> c:\program files\AVG\AVG9\avgemc.exe [?]
S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\SYSTEM32\DRIVERS\WUSB54GCv3.sys [11/18/2009 8:08 PM 627072]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\SYSTEM32\advpack.dll
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = 687474703a2f2f7777772e476f6f676c652e636f6d2f
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {038BBBA4-2129-40DB-B339-796A222DB2C7} = 71.243.0.12 71.250.0.12
FF - ProfilePath - c:\documents and settings\Elia Sanchez\Application Data\Mozilla\Firefox\Profiles\3q7si265.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.searchcanvas.com/web?ot=7&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://www.searchcanvas.com/web?ot=8&q=
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1739.5352\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-AntiSpyCheck 2 - c:\program files\AntiSpyCheck 2.1\AntiSpyCheck 2.1.exe
MSConfigStartUp-Calendarscope - c:\program files\Calendarscope\cs.exe
MSConfigStartUp-InCD - c:\program files\Nero\Nero 7\InCD\InCD.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
MSConfigStartUp-SecurDisc - c:\program files\Nero\Nero 7\InCD\NBHGui.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-WinAble - c:\program files\WinAble\winable.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-28 14:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AA86618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a0852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xf7439bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7446a21
SendHandler -> NDIS.sys @ 0xf742487b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\INIDVD]
"ImagePath"=multi:"system32\DRIVERS\inidvd.sys\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(872)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3272)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\BCMSMMSG.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-28 15:15:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-28 20:15
ComboFix2.txt 2009-05-07 20:32

Pre-Run: 13,690,019,840 bytes free
Post-Run: 13,613,780,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - B101F238FBD050BF22C6F7D66EFE1DDB

Here's the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:17 PM, on 12/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{038BBBA4-2129-40DB-B339-796A222DB2C7}: NameServer = 71.243.0.12 71.250.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{038BBBA4-2129-40DB-B339-796A222DB2C7}: NameServer = 71.243.0.12 71.250.0.12
O17 - HKLM\System\CS3\Services\Tcpip\..\{038BBBA4-2129-40DB-B339-796A222DB2C7}: NameServer = 71.243.0.12 71.250.0.12
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - Unknown owner - C:\Program Files\AVG\AVG9\avgemc.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - Unknown owner - C:\Program Files\AVG\AVG9\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Elia Sanchez\My Documents\My Pictures\Haido\hello.JPG

--
End of file - 6242 bytes

Will do the LSPFix and get back to you later. Thanks...
  • eriasan
  • Newbie
  • Posts: 11

Post 3+ Months Ago

Ran LSPFix and fixed O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll. Did another Google search and am still being diverted.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:22 PM, on 12/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - Unknown owner - C:\Program Files\AVG\AVG9\avgemc.exe (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - Unknown owner - C:\Program Files\AVG\AVG9\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Elia Sanchez\My Documents\My Pictures\Haido\hello.JPG

--
End of file - 5862 bytes
  • Don2007
  • Web Master
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

There has to be a script running from somewhere. If it's just a script & not an exe, it won't show in HijackThis. You have posted 6 HijackThis logs. Don't post any more. Another approach is needed.

Is the redirect happening in more than one browser? To what sites are you being redirected?

Run ipconfig /all from a command prompt & post the output.
Do the same with netstat -an
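As an added example, and not code from either poster, here is a Python triage script for the two commands requested above. It parses `ipconfig /all` and `netstat -an` output in the Windows XP layout, reports every configured DNS server that is not on an operator-supplied allowlist (a changed resolver is one common cause of redirected searches), and splits the socket table into listeners, web sessions and other established sessions. The sample output, the adapter names and the EXPECTED_RESOLVERS allowlist are constructed for the example from RFC 5737 documentation addresses; they are not the values posted in this thread.

```python
"""Triage for the two commands requested above: parse Windows XP `ipconfig /all`
and `netstat -an` output for what a responder checks first on a search-redirect
complaint. Sample output and resolver allowlist are constructed (RFC 5737 ranges)."""
import re
from collections import Counter

# Assumed allowlist: the resolvers the router/ISP is expected to hand out.
EXPECTED_RESOLVERS = {"192.0.2.1", "198.51.100.53", "198.51.100.54"}

# Constructed sample; the indented bare address is how XP prints a second DNS server.
SAMPLE_IPCONFIG = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.0.2.10
        DNS Servers . . . . . . . . . . . : 192.0.2.1
                                            203.0.113.140
PPP adapter My ISP:

        IP Address. . . . . . . . . . . . : 203.0.113.77
        DNS Servers . . . . . . . . . . . : 198.51.100.53
                                            198.51.100.54
"""

# Constructed sample in the netstat -an layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:42215          0.0.0.0:0              LISTENING
  TCP    203.0.113.77:1239      198.51.100.8:19401     ESTABLISHED
  TCP    203.0.113.77:1240      198.51.100.9:62853     ESTABLISHED
  TCP    203.0.113.77:2048      192.0.2.200:80         ESTABLISHED
  TCP    203.0.113.77:2354      198.51.100.10:6881     ESTABLISHED
  TCP    203.0.113.77:2228      192.0.2.201:80         TIME_WAIT
  UDP    0.0.0.0:1026           *:*
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z\- ]*?)\s*[. ]*:\s*(.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")


def parse_ipconfig(text):
    """Map adapter name -> {field: [values]}; a bare IPv4 line continues the last field."""
    adapters, fields, last = {}, None, None
    for raw in text.splitlines():
        m = ADAPTER_RE.match(raw)
        if m:
            fields = adapters.setdefault(m.group(1), {})
            last = None
            continue
        if fields is None:          # still in the global header block
            continue
        m = FIELD_RE.match(raw)
        if m:
            last, value = m.group(1).strip(), m.group(2).strip()
            fields.setdefault(last, [])
            if value:
                fields[last].append(value)
        elif last and IPV4_RE.match(raw.strip()):
            fields[last].append(raw.strip())
    return adapters


def unexpected_resolvers(adapters, expected=EXPECTED_RESOLVERS):
    """Return [(adapter, server)] for every configured DNS server not on the allowlist."""
    return [(name, s) for name, f in adapters.items()
            for s in f.get("DNS Servers", []) if s not in expected]


def parse_netstat(text):
    """Return one dict per socket line; headers and blank lines are skipped."""
    rows = []
    for raw in text.splitlines():
        m = SOCKET_RE.match(raw)
        if m:
            proto, la, lp, fa, fp, state = m.groups()
            rows.append({"proto": proto, "local": la, "lport": lp,
                         "foreign": fa, "fport": fp, "state": state or ""})
    return rows


def summarize_netstat(rows, web_ports=("80", "443")):
    """Split the table into listeners, web sessions and other established sessions.
    Many ESTABLISHED sessions to high non-web ports is what a P2P client looks like,
    but also what a bot looks like; netstat -ano adds the PID that -an omits."""
    listening = [r for r in rows if r["state"] == "LISTENING"]
    established = [r for r in rows if r["state"] == "ESTABLISHED"]
    other = [r for r in established if r["fport"] not in web_ports]
    return {
        "listening_ports": sorted(int(r["lport"]) for r in listening),
        "web_sessions": len(established) - len(other),
        "non_web_sessions": len(other),
        "top_foreign_ports": Counter(r["fport"] for r in other).most_common(3),
    }
```

Redirect the real output to files (`ipconfig /all > ip.txt`, `netstat -an > ns.txt`) and pass the file contents to `parse_ipconfig` and `parse_netstat`. The regexes are written for the `-an` layout, so `netstat -ano` output, which appends a PID column, needs that column stripped or `SOCKET_RE` extended before use.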
  • eriasan
  • Newbie
  • Posts: 11

Post 3+ Months Ago

Both IE and Firefox are affected.

Ran ipconfig /all and netstat -an. The reports won't let me copy them as they disappear as soon as they have finished...
  • Don2007
  • Web Master
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

You have to be kidding me. Run it from a command prompt, not the run box.
  • eriasan
  • Newbie
  • Posts: 11

Post 3+ Months Ago

Pardon my ignorance...

Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.

C:\DOCUME~1\ELIASA~1>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : DBQDF041
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain_not_set.invalid

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : domain_not_set.invalid
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-0D-56-5B-62-AE
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
207.244.64.140
Lease Obtained. . . . . . . . . . : Monday, December 28, 2009 5:32:18 PM
Lease Expires . . . . . . . . . . : Tuesday, December 29, 2009 5:32:18 PM

PPP adapter My ISP:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 72.93.181.141
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 72.93.181.141
DNS Servers . . . . . . . . . . . : 71.243.0.12
71.250.0.12

C:\DOCUME~1\ELIASA~1>


C:\DOCUME~1\ELIASA~1>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:42215 0.0.0.0:0 LISTENING
TCP 72.93.181.141:139 0.0.0.0:0 LISTENING
TCP 72.93.181.141:1239 219.74.106.183:19401 ESTABLISHED
TCP 72.93.181.141:1240 94.23.146.116:62853 ESTABLISHED
TCP 72.93.181.141:1267 186.58.142.189:45304 ESTABLISHED
TCP 72.93.181.141:1280 67.184.253.233:52607 ESTABLISHED
TCP 72.93.181.141:1293 67.184.253.233:52607 ESTABLISHED
TCP 72.93.181.141:1299 124.209.229.236:50001 ESTABLISHED
TCP 72.93.181.141:1308 186.58.142.189:45304 ESTABLISHED
TCP 72.93.181.141:1327 125.85.33.95:20157 ESTABLISHED
TCP 72.93.181.141:1328 68.45.151.16:62162 ESTABLISHED
TCP 72.93.181.141:1330 80.47.156.228:62149 ESTABLISHED
TCP 72.93.181.141:1353 67.33.111.151:12120 ESTABLISHED
TCP 72.93.181.141:1370 58.85.100.237:29940 ESTABLISHED
TCP 72.93.181.141:1376 58.8.172.91:26075 ESTABLISHED
TCP 72.93.181.141:1377 200.168.131.210:37953 ESTABLISHED
TCP 72.93.181.141:1383 121.106.154.36:18813 ESTABLISHED
TCP 72.93.181.141:1408 124.27.233.171:9652 ESTABLISHED
TCP 72.93.181.141:1413 118.237.156.66:53188 ESTABLISHED
TCP 72.93.181.141:1424 118.96.120.33:55433 ESTABLISHED
TCP 72.93.181.141:1449 208.120.221.123:56517 ESTABLISHED
TCP 72.93.181.141:1461 173.52.227.198:37018 ESTABLISHED
TCP 72.93.181.141:1462 125.119.166.190:37939 ESTABLISHED
TCP 72.93.181.141:1466 113.68.105.41:47416 ESTABLISHED
TCP 72.93.181.141:1467 114.32.8.190:22403 ESTABLISHED
TCP 72.93.181.141:1470 186.58.142.189:45304 ESTABLISHED
TCP 72.93.181.141:1475 98.192.103.18:12235 ESTABLISHED
TCP 72.93.181.141:1484 58.85.100.237:29940 ESTABLISHED
TCP 72.93.181.141:1493 58.85.100.237:29940 ESTABLISHED
TCP 72.93.181.141:2048 64.233.169.149:80 ESTABLISHED
TCP 72.93.181.141:2197 74.125.113.100:80 ESTABLISHED
TCP 72.93.181.141:2228 208.19.38.51:80 TIME_WAIT
TCP 72.93.181.141:2230 208.19.38.56:80 TIME_WAIT
TCP 72.93.181.141:2236 208.19.38.56:80 TIME_WAIT
TCP 72.93.181.141:2354 124.154.2.151:6881 ESTABLISHED
TCP 72.93.181.141:2503 64.233.169.157:80 ESTABLISHED
TCP 72.93.181.141:2504 64.233.169.157:80 ESTABLISHED
TCP 72.93.181.141:2506 64.233.169.157:80 ESTABLISHED
TCP 72.93.181.141:2800 218.110.119.116:19051 ESTABLISHED
TCP 72.93.181.141:2830 208.19.38.32:80 ESTABLISHED
TCP 72.93.181.141:2847 208.19.38.56:80 ESTABLISHED
TCP 72.93.181.141:2861 64.233.169.148:80 ESTABLISHED
TCP 72.93.181.141:2863 64.233.169.148:80 ESTABLISHED
TCP 72.93.181.141:2867 208.19.38.65:80 ESTABLISHED
TCP 72.93.181.141:2874 74.125.93.149:80 ESTABLISHED
TCP 72.93.181.141:2984 96.48.110.24:64054 TIME_WAIT
TCP 72.93.181.141:2986 60.53.162.149:7407 CLOSING
TCP 72.93.181.141:3019 87.254.135.57:19847 TIME_WAIT
TCP 72.93.181.141:3034 58.233.95.34:33660 TIME_WAIT
TCP 72.93.181.141:3040 190.21.53.30:36429 TIME_WAIT
TCP 72.93.181.141:3054 98.155.160.28:56733 TIME_WAIT
TCP 72.93.181.141:3082 211.19.23.83:22222 ESTABLISHED
TCP 72.93.181.141:3114 218.110.119.116:19051 ESTABLISHED
TCP 72.93.181.141:3128 84.231.77.248:25125 ESTABLISHED
TCP 72.93.181.141:3135 82.255.224.116:12642 TIME_WAIT
TCP 72.93.181.141:3148 96.48.110.24:64054 TIME_WAIT
TCP 72.93.181.141:3153 75.80.206.224:23750 LAST_ACK
TCP 72.93.181.141:3154 201.95.48.183:56528 ESTABLISHED
TCP 72.93.181.141:3160 188.40.119.11:7531 SYN_SENT
TCP 72.93.181.141:3161 188.40.119.11:7531 SYN_SENT
TCP 72.93.181.141:3164 188.40.119.11:7531 SYN_SENT
TCP 72.93.181.141:3166 188.40.119.11:7531 SYN_SENT
TCP 72.93.181.141:3170 188.40.119.11:7531 SYN_SENT
TCP 72.93.181.141:3171 72.196.147.64:22934 ESTABLISHED
TCP 72.93.181.141:3173 188.40.119.11:7531 SYN_SENT
TCP 72.93.181.141:3175 121.227.1.129:40033 ESTABLISHED
TCP 72.93.181.141:3176 190.21.53.30:36429 TIME_WAIT
TCP 72.93.181.141:3178 189.74.168.148:46882 CLOSE_WAIT
TCP 72.93.181.141:3179 188.40.119.11:7531 SYN_SENT
TCP 72.93.181.141:3180 188.40.119.11:7531 SYN_SENT
TCP 72.93.181.141:3181 188.40.119.11:7531 SYN_SENT
TCP 72.93.181.141:3182 188.40.119.11:7531 SYN_SENT
TCP 72.93.181.141:3183 112.142.82.93:34365 SYN_SENT
TCP 72.93.181.141:42215 60.50.231.224:2253 ESTABLISHED
TCP 72.93.181.141:42215 72.93.181.141:2990 TIME_WAIT
TCP 72.93.181.141:42215 81.24.164.102:2527 ESTABLISHED
TCP 72.93.181.141:42215 82.236.80.7:1033 ESTABLISHED
TCP 72.93.181.141:42215 91.204.148.73:56746 ESTABLISHED
TCP 72.93.181.141:42215 94.98.14.17:56970 ESTABLISHED
TCP 72.93.181.141:42215 96.252.219.74:59602 ESTABLISHED
TCP 72.93.181.141:42215 114.128.180.48:50729 ESTABLISHED
TCP 72.93.181.141:42215 118.160.20.117:56569 ESTABLISHED
TCP 72.93.181.141:42215 123.227.42.209:53411 ESTABLISHED
TCP 72.93.181.141:42215 124.9.135.197:2866 ESTABLISHED
TCP 72.93.181.141:42215 124.157.214.110:61383 ESTABLISHED
TCP 72.93.181.141:42215 124.160.47.88:3068 ESTABLISHED
TCP 72.93.181.141:42215 173.16.18.34:60654 ESTABLISHED
TCP 72.93.181.141:42215 189.153.191.14:49720 ESTABLISHED
TCP 72.93.181.141:42215 200.155.31.172:62062 ESTABLISHED
TCP 72.93.181.141:42215 202.84.109.46:3136 ESTABLISHED
TCP 72.93.181.141:42215 218.110.119.116:54714 TIME_WAIT
TCP 72.93.181.141:42215 218.110.119.116:54744 TIME_WAIT
TCP 72.93.181.141:42215 218.110.119.116:54801 TIME_WAIT
TCP 72.93.181.141:42215 218.110.119.116:54830 TIME_WAIT
TCP 72.93.181.141:42215 219.194.96.213:3921 ESTABLISHED
TCP 72.93.181.141:42215 219.194.96.213:3994 ESTABLISHED
TCP 72.93.181.141:42215 219.194.96.213:4006 ESTABLISHED
TCP 72.93.181.141:42215 220.220.175.157:56301 ESTABLISHED
TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1032 127.0.0.1:27015 ESTABLISHED
TCP 127.0.0.1:2010 127.0.0.1:2011 ESTABLISHED
TCP 127.0.0.1:2011 127.0.0.1:2010 ESTABLISHED
TCP 127.0.0.1:2013 127.0.0.1:2014 ESTABLISHED
TCP 127.0.0.1:2014 127.0.0.1:2013 ESTABLISHED
TCP 127.0.0.1:2047 127.0.0.1:30606 ESTABLISHED
TCP 127.0.0.1:2196 127.0.0.1:30606 ESTABLISHED
TCP 127.0.0.1:2227 127.0.0.1:30606 TIME_WAIT
TCP 127.0.0.1:2229 127.0.0.1:30606 TIME_WAIT
TCP 127.0.0.1:2235 127.0.0.1:30606 TIME_WAIT
TCP 127.0.0.1:2501 127.0.0.1:30606 ESTABLISHED
TCP 127.0.0.1:2502 127.0.0.1:30606 ESTABLISHED
TCP 127.0.0.1:2505 127.0.0.1:30606 ESTABLISHED
TCP 127.0.0.1:2507 127.0.0.1:30606 CLOSE_WAIT
TCP 127.0.0.1:2829 127.0.0.1:30606 ESTABLISHED
TCP 127.0.0.1:2846 127.0.0.1:30606 ESTABLISHED
TCP 127.0.0.1:2860 127.0.0.1:30606 ESTABLISHED
TCP 127.0.0.1:2862 127.0.0.1:30606 ESTABLISHED
TCP 127.0.0.1:2866 127.0.0.1:30606 ESTABLISHED
TCP 127.0.0.1:2873 127.0.0.1:30606 ESTABLISHED
TCP 127.0.0.1:2949 127.0.0.1:30606 TIME_WAIT
TCP 127.0.0.1:5152 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5152 127.0.0.1:2012 CLOSE_WAIT
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING
TCP 127.0.0.1:27015 127.0.0.1:1032 ESTABLISHED
TCP 127.0.0.1:30606 0.0.0.0:0 LISTENING
TCP 127.0.0.1:30606 127.0.0.1:2047 ESTABLISHED
TCP 127.0.0.1:30606 127.0.0.1:2196 ESTABLISHED
TCP 127.0.0.1:30606 127.0.0.1:2501 ESTABLISHED
TCP 127.0.0.1:30606 127.0.0.1:2502 ESTABLISHED
TCP 127.0.0.1:30606 127.0.0.1:2505 ESTABLISHED
TCP 127.0.0.1:30606 127.0.0.1:2509 TIME_WAIT
TCP 127.0.0.1:30606 127.0.0.1:2511 TIME_WAIT
TCP 127.0.0.1:30606 127.0.0.1:2751 TIME_WAIT
TCP 127.0.0.1:30606 127.0.0.1:2817 TIME_WAIT
TCP 127.0.0.1:30606 127.0.0.1:2821 TIME_WAIT
TCP 127.0.0.1:30606 127.0.0.1:2829 ESTABLISHED
TCP 127.0.0.1:30606 127.0.0.1:2833 TIME_WAIT
TCP 127.0.0.1:30606 127.0.0.1:2846 ESTABLISHED
TCP 127.0.0.1:30606 127.0.0.1:2860 ESTABLISHED
TCP 127.0.0.1:30606 127.0.0.1:2862 ESTABLISHED
TCP 127.0.0.1:30606 127.0.0.1:2866 ESTABLISHED
TCP 127.0.0.1:30606 127.0.0.1:2873 ESTABLISHED
TCP 192.168.0.2:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1025 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:6771 *:*
UDP 0.0.0.0:42215 *:*
UDP 0.0.0.0:52283 *:*
UDP 72.93.181.141:123 *:*
UDP 72.93.181.141:137 *:*
UDP 72.93.181.141:138 *:*
UDP 72.93.181.141:1900 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1045 *:*
UDP 127.0.0.1:1900 *:*
UDP 192.168.0.2:123 *:*
UDP 192.168.0.2:137 *:*
UDP 192.168.0.2:138 *:*
UDP 192.168.0.2:1900 *:*
UDP 192.168.0.2:5353 *:*

C:\DOCUME~1\ELIASA~1>
  • Don2007
  • Web Master
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

What a mess!!! I don't know where to start. First of all, why is your PC working off of an internal & an external IP at the same time?

Secondly, I see a bunch of what appears to be trojan connections to Thailand, Korea, Brazil & Saudi Arabia, just to name a few.

Another thing:
DNS Servers . . . . . . . . . . . : 192.168.0.1
207.244.64.140 <----- Why is that IP under DNS? It belongs to the Pea Island Computing Corp. Who are they?

That PC needs some massive cleaning & there seems to be something wrong with the way it's connected to the internet. Did you add an extra router or something?

I don't know what else I can suggest. It's too much to explain over the internet since it involves the registry & other deep cleaning.
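Added example, not code from the thread or from any of the tools named in it: a small Python triage script that does mechanically what Don2007 does by eye above, flagging a local port that is both listening and holding sessions with many remote hosts (the port 42215 pattern) and a DNS server that is not on the home LAN. The netstat text is a constructed sample in documentation address ranges; the 192.168.0.0/24 LAN is taken from the ipconfig output.

```python
from collections import defaultdict
import ipaddress

# Constructed sample in the shape of `netstat -an` on Windows XP; the
# addresses are documentation ranges, not the real dump from the thread.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address        Foreign Address       State
  TCP    0.0.0.0:135          0.0.0.0:0             LISTENING
  TCP    0.0.0.0:42215        0.0.0.0:0             LISTENING
  TCP    198.51.100.7:1239    203.0.113.10:19401    ESTABLISHED
  TCP    198.51.100.7:42215   203.0.113.20:2253     ESTABLISHED
  TCP    198.51.100.7:42215   203.0.113.21:2527     ESTABLISHED
  TCP    198.51.100.7:42215   203.0.113.22:1033     ESTABLISHED
  TCP    198.51.100.7:42215   203.0.113.23:56746    ESTABLISHED
  TCP    198.51.100.7:2048    203.0.113.80:80       ESTABLISHED
  TCP    127.0.0.1:2010       127.0.0.1:2011        ESTABLISHED
  UDP    0.0.0.0:42215        *:*
"""

def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign_ip, state) per socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                      # skip banner and header lines
        local_ip, local_port = parts[1].rsplit(":", 1)
        foreign_ip = parts[2].rsplit(":", 1)[0]
        state = parts[3] if len(parts) > 3 else ""   # UDP rows have no state
        rows.append((parts[0], local_ip, int(local_port), foreign_ip, state))
    return rows

def busy_listeners(rows, min_peers=3):
    """Local TCP ports that are LISTENING and also hold ESTABLISHED sessions with
    at least min_peers distinct non-loopback remote hosts. A workstation serving
    many strangers on one port (42215 above) is the thing to investigate."""
    listening = {r[2] for r in rows if r[0] == "TCP" and r[4] == "LISTENING"}
    peers = defaultdict(set)
    for proto, _, lport, fip, state in rows:
        if (proto == "TCP" and state == "ESTABLISHED" and lport in listening
                and not ipaddress.ip_address(fip).is_loopback):
            peers[lport].add(fip)
    return {port: len(hosts) for port, hosts in peers.items()
            if len(hosts) >= min_peers}

def foreign_dns(dns_servers, lan="192.168.0.0/24"):
    """DNS servers outside the LAN: behind a home DHCP router the resolver should
    be the router itself, and an unexplained public one can redirect searches."""
    lan_net = ipaddress.ip_network(lan)
    return [s for s in dns_servers if ipaddress.ip_address(s) not in lan_net]
```

Run `busy_listeners(parse_netstat(open("netstat.txt").read()))` against a saved `netstat -an` capture; anything it returns is a port to identify with `netstat -ano` and Task Manager before deciding whether it belongs there.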
  • eriasan
  • Newbie
  • Posts: 11

Post 3+ Months Ago

Well, thanks for taking a look. I have no idea what all this is, so I guess I'll have to live with it. Thanks for your efforts.
  • Don2007
  • Web Master
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Don't do any online banking or anything personal with that machine.
  • Ashish92
  • Newbie
  • Posts: 10

Post 3+ Months Ago

I will suggest you get professional face-to-face help; you can ask the professionals to provide you a backup.

Moreover, I searched on the net about Olmarik, and according to the results the Olmarik virus mainly corrupts your software and in the final stage it hijacks your browser and opens other sites at random.

From the solutions available over the net, the Olmarik virus must be cleaned in a multi-step way, and its identification is processes with a UAC suffix running in the background.

That's all I can say now, and yes, I agree with Don: your connection details are very messy.

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.